#/usr/bin/python # imports of modules import ConfigParser import optparse import os import re import random import string import subprocess import sys # defining some constants AUTHZ_PATH = "authz" HTPWD_PATH = "htpasswd" SVN_DIR_CREATOR = "svn-dir-creator" SVN_BASE = "cpi:/" ADMINS = "administrators" REGULAR = "users" RESTRICTED = "restricted" ALUMNI = "alumni" READ_ACL = "r" WRITE_ACL = "rw" re_separators = re.compile("[\t ,;]+") # helper functions def group_users(users): """ uses the list of users to group them by their group name """ groups = dict() for user in users.values(): if user.group not in groups: groups[user.group] = [] groups[user.group].append(user.name) return groups def set_new_password(name, length=10): """ sets a new password for a username """ characters = string.ascii_letters + string.digits password = "".join(random.choice(characters) for i in range(length)) subprocess.check_call(["htpasswd", "-b", HTPWD_PATH, name, password]) return password def delete_password(name, length=10): """ deletes a password for a username """ # if the user was not added to the password db, the removal will show # an error message that is confusing to the user - at least it confused me # so redirect this to /dev/null with open(os.devnull, 'wb') as devnull: subprocess.check_call(["htpasswd", "-D", HTPWD_PATH, name], stderr=devnull) # class definitions class User(object): """ Collect the username, group and access control lists """ def __init__(self, name, group): """ initialization of the class """ self.name = name self.group = group self.write_acl = [] self.read_acl = [] def __str__(self): """ return a string representation """ return self.name def __repr__(self): """ return a string representation of the object """ return "" % (self.name, self.group) class AuthzConfigParser(ConfigParser.ConfigParser, object): """ custom functions for parsing the "authz" file as used at cpi """ def __init__(self): """ initialization of the class """ self.users = None super(AuthzConfigParser, self).__init__() def optionxform(self, value): """ reset the method to use cases ensitive names """ return str(value) def extract_users(self): """ extract user information from config """ users = dict() # first we go through the groups, as found in the groups section of the # authz file for group, userlist in self.items("groups"): for username in re_separators.split(userlist): if username in users: raise Exception("Found duplicate entry for user " + username) user = User(username, group) users[username] = user # second we scan each section that is related to an svn folder (it # starts with the svn base) for read and write access user entries for section in self.sections(): if section.startswith(SVN_BASE): belongs_to = section.lstrip(SVN_BASE) for (option, value) in self.items(section): if option in users: if value.lower() == WRITE_ACL: users[option].write_acl.append(belongs_to) elif value.lower() == READ_ACL: users[option].read_acl.append(belongs_to) # return the userlist return users def get_folder_info(self, name): """ returns read and write access info of an svn folder """ if not name.startswith(SVN_BASE): name = SVN_BASE + name if not self.has_section(name): return None info = { WRITE_ACL: [], READ_ACL: [] } for (option, value) in self.items(name): if value in (WRITE_ACL, READ_ACL): info[value].append(option) return info def move_user_to_alumni(self, user): """ moves a user to the alumni group and removes every access rights """ for access_to in user.write_acl: folder = SVN_BASE + access_to self.remove_option(folder, user.name) for access_to in user.read_acl: folder = SVN_BASE + access_to self.remove_option(folder, user.name) user.write_acl = [] user.read_acl = [] user.group = ALUMNI delete_password(user.name) def update_user_groups(self, users): """ updates the config settings of the groups section """ groups = group_users(users) for group, userlist in groups.items(): self.set("groups", group, ", ".join(sorted(userlist))) def write_to_file(self): with open(AUTHZ_PATH, "w") as filehandle: self.write(filehandle) def write(self, fp): """Write an .ini-format representation of the configuration state. this is adapted from the original library file. changes: - no default section - group-section at top - rest of section sorted by name """ sorted_keys = sorted(self._sections.keys()) sorting = ["groups"] sorting.extend([k for k in sorted_keys if k <> "groups"]) for section in sorting: fp.write("[%s]\n" % section) for (key, value) in self._sections[section].items(): if key == "__name__": continue if (value is not None) or (self._optcre == self.OPTCRE): key = " = ".join((key, str(value).replace('\n', '\n\t'))) fp.write("%s\n" % (key)) fp.write("\n") if __name__ == "__main__": # create configparser instance config = AuthzConfigParser() # change option name transformation to case sensitive config.optionxform = str # read config file config.read(AUTHZ_PATH) users = config.extract_users() # command line interface: # no option: display info # -g display users in a group # -a add regular user # -r add restricted user # -m move to alumni # -p reset user password parser = optparse.OptionParser( usage="usage: %prog [option] name", description="shows and manipulates svn access rights", epilog="to grant a restricted user access to another folder, you have to carefully edit the authz file") parser.add_option("-g", "--groupinfo", action="store_const", dest="what", const="g", help="display users in a group") parser.add_option("-a", "--add", action="store_const", dest="what", const="a", help="add a regular user") parser.add_option("-r", "--restricted", action="store_const", dest="what", const="r", help="add a restricted user") parser.add_option("-m", "--move", action="store_const", dest="what", const="m", help="move a user to alumni") parser.add_option("-p", "--password", action="store_const", dest="what", const="p", help="reset a user password") options, args = parser.parse_args() if len(args)==0: # no arguments? then display all the users! groups = group_users(users) for name, usernames in groups.items(): print "Users in group '%s':" % name for name in sorted(usernames): print " " + name sys.exit() if len(args)>1: # more than one usename? not here, john boy sys.exit("please provide only one name") name = args[0] if options.what == "g": # show group information groups = group_users(users) if name not in groups: sys.exit("Group not found") print "Users in group '%s':" % name for usernamename in sorted(groups[name]): print " " + usernamename sys.exit() if options.what in ("a", "r"): # add a user, restricted or regular if name in users: sys.exit("Username '%s' already in use" % name) group = RESTRICTED if options.what == "r" else REGULAR users[name] = User(name, group) config.update_user_groups(users) folder = SVN_BASE + name config.add_section(folder) config.set(folder, "@"+RESTRICTED, "") config.set(folder, name, WRITE_ACL) #subprocess.check_call(SVN_DIR_CREATOR + " " + name, shell=True) password = set_new_password(name) print "New password for user '%s': '%s'" % (name, password) config.write_to_file() sys.exit() # from here downwards we need already existent usernames if name not in users: sys.exit("User '%s' not found, use this without a name to get a list of users." % name) user = users[name] if options.what == "m": # move user to alumni groups = group_users(users) if user.group == ALUMNI: sys.exit("User '%s' is already in group '%s'" % (name, ALUMNI)) if user.group == ADMINS: sys.exit("User '%s' is in group '%s', will not moved to '%s'" % (name, ADMINS, ALUMNI)) config.move_user_to_alumni(user) config.update_user_groups(users) config.write_to_file() sys.exit() if options.what == "p": # reset a password password = set_new_password(name) print "New password for user '%s': '%s'" % (name, password) sys.exit() # no option, just a name: # print all the infos connected to a name print "User %s is in group '%s':" % (name, user.group) if user.group == ADMINS: print " Write access is granted to all folders." elif user.write_acl: write_acl = [ SVN_BASE + username for username in user.write_acl ] print " Write access is granted to folders '%s'. " % "', '".join(write_acl) else: print " Write access is NOT granted to any folder" if user.group in (ADMINS, REGULAR): print " Read access is granted to all folders." elif user.read_acl: read_acl = [ SVN_BASE + username for username in user.read_acl ] print " Read access is granted to folders '%s'. " % "', '".join(read_acl) else: print " Read access is NOT granted to any folder" info = config.get_folder_info(name) print "Labjornal %s%s:" % (SVN_BASE, name) write_acl = [ "@" + ADMINS ] + info[WRITE_ACL] print " Write access granted to " + ", ".join(write_acl) read_acl = [ "@" + ADMINS, "@" + REGULAR ] + info[READ_ACL] print " Read access granted to: " + ", ".join(read_acl)